
MQSeries.net Forum Index » IBM MQ Security » Windows Client V7 to AIX Qmgr v6 via SVRCONN/ssl.

Windows Client V7 to AIX Qmgr v6 via SVRCONN/ssl.
flaufer
Posted: Thu Feb 24, 2011 1:21 am    Post subject: Windows Client V7 to AIX Qmgr v6 via SVRCONN/ssl.

Acolyte

Joined: 08 Dec 2004
Posts: 59

Folks,

I'm kinda stuck here...

This is my setup:

Queue manager 6.0.2.1 on AIX (soon to be upgraded to 7.0.1.3) with a cms holding the queue manager's certificate labeled "ibmwebspheremqQMRNAME" (all in small letters) and the keychain (root CA-intermediate CA-online CA). The qmgr's certificate is signed by the online CA.

Connection using a Java client (with client certificate in JKS also signed by online-CA) to a SVRCONN channel works well (filter by OU=).

Now I need to connect a Windows MQ Client (V7.0.1.3) application running under NT AUTHORITY\SYSTEM (Appwatch from BMC) to this particular queue manager.

I've created a kdb, added the three certs from the CA (root-CA, intermediate-CA and online-CA), created a certificate, had the request signed by the online CA and "received" the certificate into the kdb. This works well.

Now my question is about the required label.

1. I tried some fancy label called ibmwebspheremqappwatch (no appwatch user on either Windows or AIX side). Thought this might work because the Java clients' labels also don't match the Windows user accounts. No work. First the checking of the CRL failed (http access to the URL mentioned in the certificate DID work). We disabled CRL checking in the MQ client ini file. Connection still fails because of the certificate.

2. What label is to be used when the client is running under NT AUTHORITY\SYSTEM?

3. Does the user need to be present on the AIX side, even if we check SSLPEER for OU=? (MCAUSER will be an existing user with proper OAM privileges.)

Felix
exerk
Posted: Thu Feb 24, 2011 1:42 am    Post subject: Re: Windows Client V7 to AIX Qmgr v6 via SVRCONN/ssl.

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Don't do this:

flaufer wrote:
...the client is running under NT AUTHORITY\SYSTEM...


But ensure the application runs under an identifiable user that can be validly used within a label name. If that can't be done then check the vendor documentation for how it should be done.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.